[squid-users] Re: Issues with squid_ldap_auth against a windows AD Server

From: Mike Langhorst <mike.langhorst_at_gmail.com>
Date: Wed, 25 Aug 2010 15:55:02 -0700

So, making some progress I think, but seeing unexpected behavior. I
changed the " to ' surrounding my DN, and got more output in the squid
log. However it's definitely behaving differently from within squid
than from the CLI.

Attempting to auth my browser (firefox) pointing to squid I get the
following when I enter my sAMAccountName:

attempting to authenticate user 'uid=mlanghorst,dc=oa,dc=domain,dc=com'

This will obviously fail as AD doesn't use uid, nor is that the
correct DN for my account. Now trying this exact string from the
command line gives the following:

user filter 'sAMAccountName=myuser', searchbase 'dc=oa,dc=domain,dc=com'
attempting to authenticate user 'CN=User\,
My,OU=Basic,OU=Users,DC=oa,DC=domain,DC=com'
OK

This is my correct DN.

Now I see I can use the -u switch to specifically tell it to use
sAMAccountName, but I would then need to tell it how to construct the
DN, which simply won't work. We have multiple peers to OU=Basic, as
well as an OU for service accounts. It appears that it's just
ignoring the -f flag when called from squid.

On Wed, Aug 25, 2010 at 11:51 AM, Mike Langhorst
<mike.langhorst_at_gmail.com> wrote:
> I've been struggling with getting Squid to authenticate against AD using
> squid_ldap_auth.
> OS:  OEL 5.3 (Redhat)
> Squid: squid-2.6.STABLE21-3.el5
> I've been able to get it to authenticate successfully against SunONE
> Directory server, but our internal users aren't in that LDAP but should in
> theory show the pieces are functional.
> Here's the relevant section from squid.conf, obfuscation where necessary:
> auth_param basic program /usr/lib64/squid/squid_ldap_auth -d -R -v 3 -d -b
> "dc=oa,dc=DOMAIN,dc=com" -D "CN=SURNAME\,
> Givenname,OU=Basic,OU=Users,DC=oa,DC=DOMAIN,DC=com" -w "XXXXXX" -f
> sAMAccountName=%s -h AD_SERVER.oa.domain.com
> auth_param basic children 5
> auth_param basic realm "Restricted Use"
> auth_param basic credentialsttl 10 minutes
> Having this in squid.conf gives the error:
> squid_ldap_auth: WARNING, could not bind to binddn 'Invalid credentials'
> However if I copy & paste this exact line starting with
> /usr/lib64/squid/squid_ldap_auth, it is successful:
> bash-3.2$ /usr/lib64/squid/squid_ldap_auth -d -R -v 3 -d -b
> "dc=oa,dc=DOMAIN,dc=com" -D "CN=SURNAME\,
> Givenname,OU=Basic,OU=Users,DC=oa,DC=DOMAIN,DC=com" -w "XXXXXXX" -f
> sAMAccountName=%s -h AD_SERVER.oa.domain.com
> user2 pass
> user filter 'sAMAccountName=user2', searchbase 'dc=oa,dc=DOMAIN,dc=com'
> attempting to authenticate user
> 'CN=lastname\, firstname,OU=Basic,OU=ISO_Users,DC=oa,DC=caiso,DC=com'
> OK
> Any ideas from the list?  All searches tell me the user or password is
> wrong, but that's not the case.  Looks like squid's parsing of the binddn
> seems broken on this.
Received on Wed Aug 25 2010 - 22:55:08 MDT
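The two lookup modes the thread compares, as an added illustration that is not part of the original post and not squid_ldap_auth's own code: with -f, the helper searches the base for the filter (the %s being the login name) and binds as the DN the search returns; without -f, it builds "<attr>=<user>,<base>" from the -u attribute, which the 'uid=mlanghorst,dc=oa,...' line above suggests is the default. The directory, names and passwords below are constructed, and the model only understands simple "attr=%s" filters; note the RFC 4515 escaping of the login name before it goes into the filter.

```python
# Added example: a model of squid_ldap_auth's search-then-bind (-f) and
# constructed-DN (no -f, attribute from -u) lookups. Constructed data only.
import re

# Constructed sample directory standing in for AD: DN -> attributes.
DIRECTORY = {
    "CN=User\\, My,OU=Basic,OU=Users,DC=oa,DC=domain,DC=com": {
        "sAMAccountName": "myuser", "password": "s3cret",
    },
    "CN=Svc Proxy,OU=Service,OU=Users,DC=oa,DC=domain,DC=com": {
        "sAMAccountName": "svc-proxy", "password": "hunter2",
    },
}

def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515) so a login
    name such as 'x)(sAMAccountName=*' cannot widen the search."""
    return re.sub(r"[\\*()\x00]",
                  lambda m: "\\%02x" % ord(m.group(0)), value)

def search(base, filter_template, user):
    """Return the DNs under base whose attribute equals the login name,
    for a simple '<attr>=%s' template like the thread's -f value."""
    attr, pattern = filter_template.replace(
        "%s", escape_filter_value(user)).split("=", 1)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base.lower())
            and escape_filter_value(attrs.get(attr, "")) == pattern]

def bind(dn, password):
    """Simple bind: the DN must exist and the password must match."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["password"] == password

def authenticate(user, password, base, filter_template=None, attr="uid"):
    """Return (dn_tried, ok). With a filter: search, require exactly one
    hit, bind as it. Without: bind as '<attr>=<user>,<base>' (-u default
    assumed to be uid, as the thread's squid-side output suggests)."""
    if filter_template:
        dns = search(base, filter_template, user)
        if len(dns) != 1:          # no match, or ambiguous: refuse
            return (None, False)
        dn = dns[0]
    else:
        dn = "%s=%s,%s" % (attr, user, base)
    return (dn, bind(dn, password))
```

Run with the thread's values ("myuser", base "dc=oa,dc=domain,dc=com", filter "sAMAccountName=%s") the search path returns the CN DN and OK, while the no-filter path tries uid=myuser,dc=oa,dc=domain,dc=com and fails, which is exactly the difference between the CLI and the squid-side output above.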
